NASA 

Technical  Memorandum  105794 


A  Demonstration  of  an  Intelligent  Control 
System  for  a  Reusable  Rocket  Engine 

Jeffrey  L.  Musgrave  and  Daniel  E.  Paxson 
Lewis  Research  Center 
Cleveland,  Ohio 


Jonathan  S.  Litt 

Propulsion  Directorate 

U.S. Army Aviation Systems Command

Lewis  Research  Center 

Cleveland,  Ohio 

and 

Walter  C.  Merrill 
Lewis  Research  Center 
Cleveland,  Ohio 


Preprint  from  the  “Advanced  Earth-to-Orbit  Propulsion 
Technology  Conference,”  a  conference  held  at 
NASA  George  C.  Marshall  Space  Flight  Center 
Huntsville,  Alabama,  May  19-21,  1992 




A  DEMONSTRATION  OF  AN  INTELLIGENT  CONTROL  SYSTEM 
FOR  A  REUSABLE  ROCKET  ENGINE 


Jeffrey  L.  Musgrave 
Daniel  E.  Paxson 
NASA Lewis Research Center

Jonathan S. Litt
US Army-AVSCOM


Walter C. Merrill
NASA  Lewis  Research  Center 
Cleveland,  Ohio  44135 


ABSTRACT 




An Intelligent Control System for reusable rocket engines is under development at NASA Lewis Research Center.
The primary objective is to extend the useful life of a reusable rocket propulsion system while minimizing between flight
maintenance and maximizing engine life and performance through improved control and monitoring algorithms and
additional sensing and actuation. This paper describes current progress towards proof-of-concept of an Intelligent Control
System for the Space Shuttle Main Engine. A subset of identifiable and accommodatable engine failure modes is selected
for preliminary demonstration. Failure models are developed retaining only first order effects and included in a simplified
nonlinear simulation of the rocket engine for analysis under closed loop control. The engine level coordinator acts as an
interface between the diagnostic and control systems, and translates thrust and mixture ratio commands dictated by mission
requirements, and engine status (health) into engine operational strategies carried out by a multivariable control. Control
reconfiguration achieves fault tolerance if the nominal (healthy engine) control cannot. Each of the aforementioned
functionalities is discussed in the context of an example to illustrate the operation of the system in the context of a
representative failure. A graphical user interface allows the researcher to monitor the Intelligent Control System and engine
performance under various failure modes selected for demonstration.


INTRODUCTION 


Reusable rocket engines present a very challenging operational environment and require high performance, low
maintenance, and man-rated reliability levels. Multiple start-stop cycles cause thermal gradients with high thermal strains
per cycle within the engine. High steady state operating stresses create large inelastic strains. High dynamic loads
induce high cycle stresses. In the Space Shuttle Main Engine (SSME), an operational version of a reusable rocket
engine, high performance and reliable operation have been achieved. However, originally predicted levels of usable life¹
have not been demonstrated and extensive between flight maintenance has resulted.

Merrill and Lorenzo have proposed a framework outlining specific functionalities to improve the durability
of the SSME which include active control of key engine parameters, real time diagnostics, and life extending control.
A functional framework showing the various capabilities included in the Intelligent Control System (ICS) is given in
Figure 1. The principal components include a distributed diagnostic system, an intelligent coordinator, and a
reconfigurable controller. The distributed diagnostic system is composed of sensor validation, a model based failure
detector, a rule based failure detector, ReREDS (reusable rocket engine diagnostic system) and a diagnostic expert system.
ReREDS is a condition monitoring/diagnostic software system developed during the past two years through a contract with
System Control Technology (SCT) and Aerojet. The engine level coordinator in Figure 1 makes alterations to the controller
using engine status information generated by the diagnostic system, and propulsion requirements passed down by the
propulsion level coordinator as shown. Each SSME is part of the propulsion system for the orbiter vehicle and is
orchestrated by the propulsion level coordinator which receives thrust vector commands from the flight controller to
achieve mission success. Ultimately, the engine level coordinator must satisfy minimum thrust requirements while
minimizing further component degradation and accommodating failed or degraded engine hardware. The reconfigurable
controller takes requests generated by the coordinator, makes the changes gradually thereby minimizing engine transients,
and computes the valve positions to achieve the requested behavior from the engine.

Figure 1 Intelligent Control System Functional Framework

This paper describes an ongoing research program at the NASA Lewis Research Center to demonstrate an ICS for a
reusable space propulsion system (SSME). A significant milestone for the ICS program is the successful integration of real
time diagnostics with a reconfigurable control, providing motivation for demonstration with a subset of accommodatable
failure modes. The focus of this work is on failure mode modelling, controls and coordination, and the graphical user
interface. Detailed discussion of the distributed diagnostic system appears elsewhere. An accommodation strategy for a
particular failure mode is discussed in detail and simulation results are presented to clarify the various functionalities and
potential benefits of the Intelligent Control System.

FAILURE  MODES 

Modelling failure modes for the ICS project presents a difficult challenge due to several competing objectives.
On the one hand there is the desire to accurately describe the progress and effects of a given failure as it occurs. Typically,
this requires models not only for the relevant fluid dynamics but for the structural dynamics as well. Such models are
necessarily computationally intensive and time consuming to develop. On the other hand, there is the desire to maintain
simple models such that real time simulation may be achieved with existing computer hardware. The real time requirement
is necessitated by the fact that the diagnostic system and controller under development will eventually be placed on an
actual engine, and must therefore respond within the appropriate time scale. Simple failure models also require much less
time to develop and are readily available for use in detection and accommodation studies for development of an expert
system rule base.

At this point in time, the focus of the project is proof of concept. Therefore, a philosophy of maximum simplicity
has been adopted for the task of modelling rocket engine failures. By this we mean that the consequences of a given failure
are sought without regard to the cause or the relative time that the failure takes to develop. The following discussion details
models for several failure modes selected for demonstration of an ICS. Motivation for their selection will be presented,
along with a description of their implementation in the real time simulation model of the SSME³. In addition, open loop
transients of key engine parameters are provided to illustrate the qualitative behavior of the models.


The following five failure modes have been selected for the preliminary ICS demonstration: a failure of a control
sensor (Pc), a frozen Fuel Preburner Oxidizer Valve (FPOV), a Low Pressure Fuel Turbo Pump (LPFTP) shaft seal system
failure, a High Pressure Fuel Turbo Pump (HPFTP) turbine tip seal failure, and a High Pressure Oxidizer Turbo Pump
(HPOTP) shaft seal system failure. One of the primary goals of the project is to examine a variety of techniques for failure
detection and accommodation since no one is expected to perform well for all types of failures. The modes listed above
cover a broad class of possible problems for the engine with the exception of bearing failures. Unfortunately, the real time
engine simulation used for this work does not readily lend itself to including failure modes involving vibration, or other
structural phenomena.

Sensor failures and actuator failures are among the most straightforward to implement and require no modelling.
Consequently, they have been omitted from the following discussion. The HPOTP shaft seal failure has been covered
extensively elsewhere⁵ and will not be repeated here.


LPFTP Shaft Seal System Failure. The LPFTP shaft seal system prevents the relatively hot hydrogen gas which
drives the low pressure turbine from mixing with the liquid hydrogen being driven through the low pressure pump. The
seal system consists of two seals. One is a labyrinth seal located at the base of the second stage turbine blade. The other is a
simple ring seal on the shaft itself. Since both of these are clearance type seals, a small amount of leakage occurs even during
normal operation. This value is approximately .49 lbm/sec. Using the perfect gas assumption the flow through the
labyrinth seal may be written as

$$\dot{m}_{lab} = \pi\, C_D\, d\, c_{lab}\, P_{lpfti} \sqrt{\frac{g_c}{R\, T_{lpfti}}}\; f(PR) \qquad (1)$$

where $C_D$ is the discharge coefficient, $d$ is the turbine disk diameter, $c_{lab}$ is the seal clearance, $g_c$ is the gravitational constant,
$R$ is the real gas constant, $T_{lpfti}$ and $P_{lpfti}$ are the LPFTP turbine inlet temperature and pressure respectively, and PR is the pressure
ratio across the seal, i.e. $P_{exit}/P_{lpfti}$. In this equation $f(PR)$ has the form

$$f(PR) = \sqrt{\frac{1 - PR^2}{5 - \ln(PR)}} \qquad (2)$$

Assuming adiabatic flow and choked conditions, the flow through the ring seal may be written as

$$\dot{m}_{ring} = 0.685\, \pi\, C_D\, d\, c_{ring}\, P_{exit} \sqrt{\frac{g_c}{R\, T_{lpfti}}} \qquad (3)$$

where $d$ and $c_{ring}$ now correspond to the shaft diameter and the ring seal clearance respectively. The multiplicative constant
.685 is obtained using a specific heat ratio for hydrogen gas of 1.4. Assuming a common discharge coefficient of 0.9 for
both seals and disk and shaft diameters of 6.0 and 2.0 inches respectively, equations 1 and 3 may be equated and the
common terms eliminated to obtain

$$PR\, \frac{c_{ring}}{c_{lab}} \approx 4.381\, f(PR) \qquad (4)$$

This equality cannot be rearranged to obtain an analytical expression for the pressure ratio PR as a function of clearance due
to the nature of $f(PR)$. However, an approximation can be obtained by expanding equation 4 in a Taylor series about
PR = 1. The result is

$$PR \approx \frac{2\left(1 + \sqrt{1 + .75\, \beta(CR)}\right)}{\beta(CR)} \qquad (5)$$

where $CR = c_{ring}/c_{lab}$ and $\beta(CR)$ is

$$\beta(CR) = 1.303\, CR^2 + 7.0. \qquad (6)$$

Thus with the clearance of each seal known, and the LPFTP turbine inlet state known, equation 5 may be used to obtain PR.
With PR known, $P_{exit}$ is known, and equation 3 may be used to obtain the flow rate through the seal.
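As a numerical check on equations 2, 4, 5 and 6 (an added example, not code from the original memorandum), the sketch below solves equation 4 for PR by bisection and compares the result with the closed form of equation 5. The function names and the 5 mil labyrinth clearance held fixed for both cases are assumptions made here; the 3 mil nominal ring clearance and the tenfold failure clearance are the values the text gives next.

```python
import math

K = 4.381  # constant in equation 4 (6.0 in and 2.0 in diameters, factor 0.685)


def f(pr):
    """Labyrinth seal flow function, equation 2."""
    return math.sqrt((1.0 - pr * pr) / (5.0 - math.log(pr)))


def pr_exact(cr, tol=1e-12):
    """Solve equation 4, PR * CR = 4.381 f(PR), for PR by bisection.

    g(PR) = PR*CR - K*f(PR) is negative near PR = 0, equals CR > 0 at
    PR = 1, and crosses zero once in between.
    """
    if cr <= 0.0:
        raise ValueError("clearance ratio must be positive")
    lo, hi = 1e-12, 1.0
    while hi - lo > tol:
        mid = 0.5 * (lo + hi)
        if mid * cr - K * f(mid) < 0.0:
            lo = mid
        else:
            hi = mid
    return 0.5 * (lo + hi)


def beta(cr):
    """Equation 6."""
    return 1.303 * cr * cr + 7.0


def pr_taylor(cr):
    """Equation 5: closed-form approximation from expanding about PR = 1."""
    b = beta(cr)
    return 2.0 * (1.0 + math.sqrt(1.0 + 0.75 * b)) / b


def ring_leak_ratio(c_ring_nominal, c_ring_failed, c_lab, solver=pr_exact):
    """Failed/nominal ring seal flow at a fixed turbine inlet state.

    From equation 3 the flow is proportional to c_ring * P_exit, and
    P_exit = PR * P_lpfti, so the inlet pressure and temperature cancel.
    """
    pr_n = solver(c_ring_nominal / c_lab)
    pr_f = solver(c_ring_failed / c_lab)
    return (c_ring_failed * pr_f) / (c_ring_nominal * pr_n)


if __name__ == "__main__":
    C_LAB = 5.0  # mils, assumed constant here (the page makes it speed dependent)
    for c_ring in (3.0, 30.0):  # nominal and failed ring clearance, mils
        cr = c_ring / C_LAB
        print(f"CR={cr:4.1f}  PR exact={pr_exact(cr):.4f}  "
              f"PR eq.5={pr_taylor(cr):.4f}")
    print("leak ratio (failed/nominal):",
          round(ring_leak_ratio(3.0, 30.0, C_LAB), 3))
```

The closed form tracks the numerical root closely near PR = 1 and drifts by about 0.004 at the failed clearance; the tenfold clearance increase raises the leak by a factor of roughly 2.9 rather than ten because the pressure between the two seals falls.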

The clearance of the ring seal must be specified and a failure of the system is initiated by using a clearance which is
much larger (approximately a factor of ten for the demonstration) than the nominal value which is assumed to be 3 mils.
The clearance of the labyrinth seal depends upon the speed of the turbine. Specifically, the governing equation may be
written as

$$c_{lab} = 0.005 - a_1\,(\omega - a_2) \qquad (7)$$

where $\omega$ is the turbine shaft speed in rad/sec. The constants $a_1$ and $a_2$ were chosen such that the
clearance is 5 mils at 100 percent power and 0 mils at full power.

The LPFTP shaft seal model has been implemented on the real time SSME simulation by introducing these equations
into the code. The mass flow rate through the seal system was subtracted from the low pressure fuel turbine
discharge mass flow and added to the pump discharge mass flow. The pump discharge temperature was modified to
account for the hot gas mixing with the cold liquid. Figures 2a, 2b, and 2c show the open loop response of the shaft seal
failure at rated power. Chamber pressure was insensitive to the shaft seal failure, and has been omitted. The seal
degradation is shown on all plots to occur at four seconds and take place over a two second interval at a constant ramp
rate. For the failure shown, the leakage rate from the turbine to the pump increased from a nominal 0.486 lbm/sec to
1.66 lbm/sec causing a decrease in the LPFTP pump discharge pressure shown in Figure 2a as the turbine pumps less fuel
from the tank. Figure 2b shows how the increase in hot gas entering the cool fuel from the supply tank results in a slight
increase in pump discharge temperature. Both the discharge pressure and temperature along with the volumetric fuel
flow from the pump and chamber pressure are used to estimate the mixture ratio in the main combustion chamber.
Figure 2c shows how the relatively minor leakage causes the mixture ratio estimate to degrade. The degradation is caused
by the relatively large drop in the pump discharge pressure. The poor mixture ratio causes some difficulties for the
multivariable control approach and is discussed in some detail later. The LPFTP shaft seal failure model provides the
qualitative behavior of interest for closed loop analysis and development of accommodation strategies.

Figure 2a Open Loop Response of LPFTP Discharge Pressure to LPFT Shaft Seal Degradation

Figure 2b Open Loop Response of LPFTP Discharge Temperature to LPFT Shaft Seal Degradation

HPFTP Turbine Tip Seal Failure. Turbine tip seals are designed to prevent leakage of gas between the outside ends of
the turbine blades and the turbine casing. The rate of leakage which occurs in this region is generally very small
compared to the total flow through the turbine; however, the effect on performance can be significant. The fluid leaking
around the tip of the turbine blade disturbs the flow field on the rest of the aerofoil in a manner similar to crossflow over an
airplane wing. This results in reduced lifting capacity of the blade and therefore reduced efficiency of the turbine. In
order to prevent this effect, turbine blades are often shrouded on the ends. The shroud reduces the crossflow and
subsequent sensitivity to tip leakage. Furthermore, the shroud is typically equipped with a labyrinth type tip seal which
cuts down significantly on the leakage flow. The HPFTP does not have shrouded blades however, due to high speed and
inlet temperature. Sealing is therefore effected by maintaining as small a clearance as possible between the blade tip and
the housing. A seal failure represents a change in this clearance to some value significantly larger than the design value.
Experiments demonstrate that the relationship between turbine efficiency and tip clearance is generally linear; however,
the slope is strongly dependent on the number and degree of reaction of the turbine stages. Although it has been
determined to be a relatively likely failure, no actual mention of the cause of the tip seal clearance change has been made
or the degree of clearance change that is expected. Figures 3a, 3b, and 3c demonstrate the qualitative behavior of this
failure in an open loop simulation of the real time SSME model for a 10% ramp decrease in turbine efficiency beginning at
four seconds. Figure 3a shows a relatively slight decrease in chamber pressure resulting from the decrease in the HPFTP
pump discharge pressure. The pump discharge pressure drops because the turbine is doing less work on the fluid for the
given preburner temperature. Figure 3b shows both the estimated and actual MRs rising because of the drop in fuel
being pumped by the HPFTP. Notice the slight degradation in the MR estimate as the failure propagates to its full value at
six seconds. This degradation in the estimation scheme does not cause difficulties with the MVC as in the case
discussed above. Figure 3c shows a dramatic rise in the HPFTP discharge temperature resulting from the decrease in the
turbine's ability to remove energy from the hot gas of the preburner. The open loop responses shown in these figures
typify behavior for a decrease in efficiency of the high pressure fuel turbine and coincide with our physical understanding
of the failure and its impact on performance parameters.


Figure  2c  Open  Loop  Response  of  Mixture  Ratio  to  LPFT 
Shaft  Seal  Degradation 


Figure  3a  Open  Loop  Response  of  Chamber  Pressure  to  HPFT  Tip 
Seal  Degradation 


CONTROLS  AND  COORDINATION 

The  control  and  coordination  functions  lie  at  the  heart  of  the  intelligent  control  system.  Selection  of  failure 
modes  for  an  on-line  diagnostic  system  is  driven  by  the  ability  to  accommodate  such  failures  or  degradations  in  hardware 
using  existing  sensing  and  actuation.  Additional  sensing  and  actuation  hardware  may  be  considered  by  weighting  expected 
costs  against  benefits  in  conjunction  with  the  likelihood  of  the  failure  occurring  and  the  effect  if  left  unattended.  For  this 
work,  an  additional  actuator  was  selected  for  inclusion  in  an  engine  model  based  on  recommendations  from  a  study 
performed  by  Rocketdyne**  under  contract  to  NASA  LeRC.  In  addition,  the  instrumentation  set  on  the  Marshall  Space 
Flight  Center  Technology  Test  Bed  is  assumed. 

NOMINAL  MULTIVARIABLE  CONTROLLER 

Control of the SSME is accomplished through five valves shown in Figure 4. In particular, the Main Oxidizer
Valve (MOV), Main Fuel Valve (MFV), Coolant Control Valve (CCV), Oxidizer Preburner Oxidizer Valve (OPOV), and
Fuel Preburner Oxidizer Valve (FPOV) are open loop scheduled to perform the startup and shutdown operations. In the
actual SSME controller (Block I), only FPOV and OPOV are used as closed loop control valves for mainstage operation. To
analytically explore the benefits of enhanced engine controllability, the Oxidizer Preburner Fuel Valve (OPFV) was added
while the previous five valves were also considered for closed loop control during mainstage¹⁰.

A number of measurement locations are shown in Figure 4 which represent a subset of the SSME test bed sensor suite.
The discharge pressure and temperature of the Low Pressure Fuel Turbopump (Pr,ii and Trui respectively) as well as
volumetric fuel flow (Qrim), and chamber pressure (Pc) are used for estimating mixture ratio (MR) in the
existing SSME Block I controller. The discharge pressure of the High Pressure Fuel Turbopump (Puij),
the discharge temperatures of the High Pressure Fuel and Lox Turbines (Tft2d and Tot2d respectively),
the pressure of the Fixed Nozzle Heat Exchanger (P4), the pressure of the Main Chamber Heat
Exchanger (P.i), and the fuel supply pressure of the preburners (Pq) are used in conjunction with Pc to
form the sensor suite for the multivariable control.

Multivariable control (MVC) methods generally rely on linear state space models of the process to be controlled.
A perturbation model of a simplified (39 state) nonlinear dynamic engine model at rated power was used for control
design¹⁰. The linear models of the SSME change very little from the 65% to the 109% power (thrust) level,
therefore gain-scheduling was not required. MVC allows the integration of multiple objectives of Pc, MR, Tft2d, and
Tot2d command following for example, while decoupling each of the control loops from the others using all six valves
in Figure 4 as closed loop control valves.


Figure 3b Open Loop Response of Mixture Ratio to HPFT Tip Seal Degradation (actual and estimated)


Figure 3c Open Loop Response of HPFT Discharge Temperature to HPFT Tip Seal Degradation

The nominal controller is designed with the objective of providing the highest degree of fault tolerance and
robustness possible for the engine using all available valves and some subset of available sensors while meeting specified
performance constraints. Ideally, the sensors selected for state estimation in the state feedback controller would be the
most reliable and most accurate of the available instrumentation. However, a performance versus robustness tradeoff
must be made if the most reliable sensors result in a non-minimum phase realization¹⁰.


A fault tolerant and robust control design for a rocket engine may be achieved in two ways using multivariable
control. The first involves designing the controller to be insensitive to variations in the engine, modelling errors, and
sensor noise. A variety of formalized techniques for accomplishing this are available in the controls literature based upon
the design methodology used. The second involves wisely selecting the variables for closed loop control. For example, a
"traditional" control design would allow set point control of both Pc and MR to provide variable throttling and near
constant combustion temperature in the main chamber over a range of power levels, respectively. However, for a staged
combustion cycle, controlling the discharge temperatures of the high pressure turbines provides a means of regulating the
combustion temperatures in the fuel and lox preburners. Moreover, discharge temperatures are redline quantities on the
SSME. Redline cutoffs resulting from a decrease in fuel turbine efficiency can be avoided¹¹. In general, closed loop
control of redline variables may widen the envelope of operation for the engine allowing greater flexibility for off design
operation. Consequently, a fault tolerant multivariable control design can be achieved by including Tft2d and Tot2d in
the controlled variable list along with Pc and MR for the set point controller. However, there may be a better choice given
typical variations in engine builds and the difficulty of providing consistent and accurate measurements of turbine
discharge temperature. The final selection must depend upon the practical aspects of implementing such a design on a flight
system.


RECONFIGURABLE CONTROL

The notion of altering the structure of the controller to accommodate changes in the plant is very attractive for
fault tolerance. Much work has been done in the area of aircraft survivability in combat situations with a focus on actuator
failures resulting from battle damage¹². However, most approaches are heuristic in nature due to the difficulty in
generalizing results from a specific application and vary between a priori and on-line design. A common theme is to
distribute the control effort for a failed actuator over the remaining, hopefully somewhat redundant actuators in the system.

The SSME has six valves while the nominal engine controller has only four parameters as controlled quantities.
Therefore, it would appear that the engine has two redundant valves for independent control of Pc, MR, Tft2d and Tot2d
during mainstage operation since the input matrix of the design model is not rank deficient. However, the nominal control
design¹⁰ does not use MOV or MFV for mainstage operation since these two valves are primarily for startup and
shutdown. In fact, MOV and MFV are kept wide open for all power ranges encountered during mainstage operation in the
Block I controller. Therefore, it was concluded that these valves should not be moved for nominal engine operation by
increasing the control weighting in the multivariable design. However, these valves can play a major role in
accommodating a failure in one or more of the primary control valves (FPOV, OPOV, CCV and OPFV).

Figure 4 Modified Propellant Flow Schematic of the Space Shuttle Main Engine

One approach for control reconfiguration for actuator failures is shown in Figure 5. The basic idea is to design a
controller for each of the failure conditions and then switch designs once the failure is identified by the online diagnostic
system. For example, if the position of FPOV sticks at a certain time in the mission, then a control law ($u_{fpov}$) designed
without the column corresponding to FPOV in the B matrix of the design plant is blended with the nominal control ($u_{nom}$)
to give the applied control ($u_{app}$) as

$$u_{app}(t) = (1 - \lambda(t))\, u_{nom}(t) + \lambda(t)\, u_{fpov}(t), \quad \text{where } \lambda(t) \in [0, 1]. \qquad (8)$$

As shown in the figure, the nominal and off-nominal control designs run in parallel to minimize startup transients associated
with switching between controllers. The approach is straightforward from both a conceptual and implementation
standpoint. The difficulty is selecting an acceptable blending rate $\lambda(t)$ between the nominal control and the new control for
the failure condition. Once the new controller is active, the closed loop performance and robustness are known from the
a priori design. However, the approach has several shortcomings. The most significant is the high number of parallel
controllers of order (N) for a potentially large number of failure scenarios (M), resulting in a control system of order N*M
and making implementation of such a system in flight hardware somewhat impractical. Another potential problem involves
integrator windup for each of the controllers running in parallel but "off-line". Windup may result in transients of the kind
we hoped to avoid by running the controllers in parallel in the first place. However, this behavior has not been a problem
to date and can be minimized further by ramping between controllers more slowly. The approach taken is not a panacea;
however, it does allow us to explore the potential benefits of using control reconfiguration in a relatively straightforward
way.
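A steady-state sketch of the blend in equation 8, added here as an illustration and not taken from the memorandum: a static gain matrix stands in for the dynamic controllers, the failure control is computed with the stuck valve's column of B removed, and the blending factor is ramped after detection. The gain matrix, stuck position, detection time, ramp length and all function names are constructed assumptions, not SSME data.

```python
import math

# Constructed steady-state gain matrix: 2 controlled outputs x 3 valves, in
# perturbation units about an operating point. Not SSME data.
B = [[1.0, 0.5, 0.2],
     [0.3, 1.0, 0.6]]
STUCK = 0  # column index of the frozen valve (stand-in for FPOV)


def min_norm(Bm, y):
    """Minimum-norm u with Bm u = y for a two-row Bm: u = Bm^T (Bm Bm^T)^-1 y."""
    a = sum(v * v for v in Bm[0])
    b = sum(p * q for p, q in zip(Bm[0], Bm[1]))
    d = sum(v * v for v in Bm[1])
    det = a * d - b * b
    if abs(det) < 1e-12:
        raise ValueError("remaining valves cannot set both outputs")
    z0 = (d * y[0] - b * y[1]) / det
    z1 = (a * y[1] - b * y[0]) / det
    return [Bm[0][j] * z0 + Bm[1][j] * z1 for j in range(len(Bm[0]))]


def nominal_control(y_cmd):
    """u_nom: uses every column of B."""
    return min_norm(B, y_cmd)


def failure_control(y_cmd, stuck_pos):
    """u_fpov: designed without the stuck valve's column of B. The frozen
    valve's known contribution is subtracted from the command first."""
    cols = [j for j in range(len(B[0])) if j != STUCK]
    Br = [[row[j] for j in cols] for row in B]
    resid = [y_cmd[i] - B[i][STUCK] * stuck_pos for i in range(2)]
    u = [0.0] * len(B[0])
    for j, v in zip(cols, min_norm(Br, resid)):
        u[j] = v
    u[STUCK] = stuck_pos
    return u


def blend_factor(t, t_detect, t_blend):
    """lambda(t) in [0, 1]: zero until detection, then a linear ramp."""
    return min(1.0, max(0.0, (t - t_detect) / t_blend))


def applied_control(lam, u_nom, u_fail, stuck_pos):
    """Equation 8, with the frozen valve ignoring whatever it is commanded."""
    u = [(1.0 - lam) * n + lam * f for n, f in zip(u_nom, u_fail)]
    u[STUCK] = stuck_pos
    return u


def output_error(u, y_cmd):
    """Distance between the achieved outputs B u and the commanded outputs."""
    y = [sum(B[i][j] * u[j] for j in range(len(u))) for i in range(2)]
    return math.hypot(y[0] - y_cmd[0], y[1] - y_cmd[1])


def run(y_cmd=(1.0, 1.0), y_old=(0.8, 0.8), t_detect=1.0, t_blend=2.0):
    """Valve froze at its position for the old command; the command then
    changes and the failure is detected at t_detect."""
    stuck_pos = nominal_control(y_old)[STUCK]
    u_nom = nominal_control(y_cmd)
    u_fail = failure_control(y_cmd, stuck_pos)
    history = []
    for k in range(9):  # t = 0.0, 0.5, ..., 4.0
        t = 0.5 * k
        lam = blend_factor(t, t_detect, t_blend)
        u = applied_control(lam, u_nom, u_fail, stuck_pos)
        history.append((t, lam, output_error(u, y_cmd)))
    return history


if __name__ == "__main__":
    for t, lam, err in run():
        print(f"t={t:3.1f}  lambda={lam:4.2f}  output error={err:.4f}")
```

In this static setting the output error falls in proportion to 1 - λ(t), so the ramp length alone sets how fast the remaining valves take over; the windup and switching transients discussed above only appear once the controllers have dynamics.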

ENGINE  LEVEL  COORDINATOR 

The engine level coordinator may change the setpoints of the currently controlled variables to meet performance
constraints, avoid detrimental operating conditions, change the controlled variables (i.e. mode switching), or select an
alternate control structure to accommodate a failed or degraded component in the engine system as summarized by Figure .*).
Moreover, degradations or failures of certain engine components may adversely affect performance limits. In this situation,
the coordinator must recompute new limits based on information provided by the on-line diagnostic system. The engine
level coordinator is responsible for meeting thrust and MR requirements set by the propulsion level to the extent possible
while avoiding an engine shutdown condition. Engine shutdown is determined by the propulsion level coordination based
on information provided by the engine level coordinator, relative health of the remainder of the propulsion system, and
mission safety requirements. Information about the health of the engine and the necessary performance parameters are
supplied to the propulsion coordinator to aid decision making at that level about each engine's thrust and MR.

A bottom up strategy has been adopted to develop algorithms for use in the engine level coordinator. For the failure modes considered thus far, only the FPOV sticking has resulted in any identifiable coordination activity. If the valve sticks at some point during the Max Q maneuver, the maximum achievable thrust for the engine will decrease if the MR setpoint is observed. The job of the coordinator is to determine the maximum thrust as a function of the estimated position of the stuck valve and provide this new limit to the controller. The HPFTP turbine tip seal failure could have coordination activity by changing the set points for Pc, Tft2d, and Tot2d based on the estimated change in turbine efficiency. However, the MVC reaches a balance without any explicit changes in commands, thereby making the problem one of potential integrator windup. The LPFTP shaft seal failure may require some coordination, but this work must wait until an alternative MR estimation scheme is developed to provide a suitable value for the multivariable control. The HPOTP seal system failures have no direct effect on performance parameters; however, off nominal operation such as slowing the pump down may help to avoid further degradations. However, our modelling efforts have not progressed to the level of detail which would allow some reasonable assessment of the effect of speed on seal wear during failure propagation.

[Figure: Multivariable Reconfigurable Control Scheme]

ACCOMMODATION STRATEGIES


Accommodation strategies have been developed for the sticking of FPOV and the HPFTP turbine tip seal failure. The simulation results for accommodation of the turbine tip seal failure have been published elsewhere¹¹ and will not be repeated here. Further work is required for the LPFTP shaft seal and possibly the HPOTP shaft seal system. The MVC is marginally unstable for a nontrivial leakage in the LPFTP shaft seal when using the MR estimation algorithm developed for the Block I control. The reason for this has roots in the differing design philosophies between Block I and the MVC. The MVC has MR as the "fast" control loop while the Block I control has Pc as the "fast" loop. Having MR as the faster loop provides better control of temperature deviations in the engine cycle and results in a lower order controller since the MR response is much slower than Pc. Oscillations in the MR response result from the impact of the LPFTP shaft seal failure on the quality of the MR estimate as shown earlier in Figure 3a, while the Block I control experiences no difficulty in regulating Pc and MR. Work is in process to develop an alternative MR scheme using a Kalman filter to alleviate the marginal instability with the MVC.

FPOV Sticking. The sticking of the FPOV during the thrust bucket of the SSME mission could result in extreme structural loading on the orbiter vehicle with possible loss of mission if an accommodation strategy does not allow completion of the transient. To accomplish the accommodation, an off-nominal control may be designed which makes use of the remaining valves (OPOV, MOV, MFV, CCV, and OPFV) to provide closed loop control of MR and Pc while ignoring turbine discharge temperatures. Once the on-line diagnostic system has diagnosed the failure and estimated the position of the failed valve, the coordinator can compute the maximum possible Pc for the engine without forcing MR off nominal (6.011). The coordinator generates new commands for the engine and initiates control blending using the approach outlined above. Once control reconfiguration is complete, the off nominal control provides variable throttling and MR control throughout the remainder of the mission with a new limit on maximum thrust for that engine.

The off-nominal controller without the FPOV is synthesized using the same control structure, design methodology and sensor suite employed with the nominal controller. Control of MR without using the FPOV is a very difficult task since the MR response depends heavily on this valve. In fact, the Block I control uses FPOV exclusively for MR regulation. The design procedure¹⁰ resulted in a controller of the same order as the nominal control and uses four valves (OPOV, CCV, OPFV and MFV) to decouple the MR from the Pc response. Theoretically, decoupling using fewer valves is possible. However the objective was to demonstrate the capability of recovering from a failure in a primary control valve while preserving control of Pc and MR. The off nominal control performs satisfactorily over mainstage without gain scheduling as does the nominal control.

[Figure 6: Chamber Pressure Response for Thrust Bucket with Valve Failure. Legend entries recovered: Uncoordinated MVC; Uncoordinated Thrust Command.]

Figures 6 and 7 show the Pc and MR responses for the thrust bucket maneuver, respectively. Figure 6 includes five curves, with two sets of two being identical until after approximately the eleven second mark; these are highlighted with a rectangle. The coordinated and uncoordinated MVC and thrust command demonstrate the importance of the engine level coordination. The Block I controller response is included for reference purposes to motivate the need for accommodation. The failure of FPOV occurs at exactly three seconds into the transient when the valve locks up. The responses shown assume identification takes place instantly which is certainly unrealistic. The plots show the best you can do with the reconfigurable MVC. Any delay in identification will degrade the performance of the accommodation scheme. Very little perturbation is seen during accommodation of the valve by the MVC while the Block I control is smooth since OPOV is responsible for Pc control. Figure 7 shows the degradation in MR control when the valve sticks for both MVC and Block I. However, reconfiguration of the MVC by four seconds (blending) begins to return MR to the design point while the Block I response shows the coupling between Pc and MR.

[Figure 7: Mixture Ratio Response for Thrust Bucket with Valve Failure. Horizontal axis: Time (sec).]

If the coordinator does not lower the maximum Pc for the engine based on the position of FPOV then the responses shown for the "Uncoordinated MVC" result. Figures 6 and 7 show the tradeoff between Pc and MR when "too much" thrust is requested from the engine. Neither Pc nor MR can meet demand, therefore the MVC balances the errors based upon the relative weights used in the design procedure. The imbalance is exemplified by the Block I control which meets requested thrust while MR in Figure 7 increases to 1% over nominal. If coordination takes place, then the responses labelled "Coordinated MVC" result. Figure 6 shows how a decrease in demanded thrust for the MVC can be achieved while keeping MR in Figure 7 at or about the nominal setting. A decrease in demanded thrust by a particular engine in a propulsion system can be compensated for by other "healthy" engines in the cluster without compromising the mission.
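
The coordinated and uncoordinated cases described above, reduced to a static toy model (an added example, not code or data from the original paper). The limit map, the MR penalty slope k, the weights and the linear blending ramp are assumptions chosen for illustration; only the nominal MR of 6.011 and the failure at 3 s with reconfiguration by 4 s come from the text.

```python
# Toy static model, constructed for illustration; it is not the SSME simulation.
MR_NOMINAL = 6.011  # nominal mixture ratio quoted in the text


def max_pc_for_stuck_valve(position, pc_rated=100.0):
    """Hypothetical limit map: highest Pc (% of rated) reachable at nominal MR
    with the FPOV stuck at `position` (0..1 of full travel)."""
    if not 0.0 <= position <= 1.0:
        raise ValueError("position must be within 0..1")
    return pc_rated * (0.5 + 0.5 * position)


def coordinate(pc_cmd, stuck_position):
    """Engine level coordinator: clamp the Pc (thrust) command to the new limit."""
    return min(pc_cmd, max_pc_for_stuck_valve(stuck_position))


def achievable_response(pc_cmd, pc_max, w_pc=1.0, w_mr=4.0e4, k=0.005):
    """Steady state reached by a weighted multivariable controller.

    Assumed constraint after the failure: each unit of Pc above pc_max costs
    k units of MR deviation. The controller minimises
    w_pc*(Pc - pc_cmd)**2 + w_mr*(MR - MR_NOMINAL)**2 along that constraint."""
    demand = pc_cmd - pc_max
    if demand <= 0.0:
        return pc_cmd, MR_NOMINAL          # both setpoints can be met
    excess = w_pc * demand / (w_pc + w_mr * k * k)
    return pc_max + excess, MR_NOMINAL + k * excess


def blend_weight(t, t_identified=3.0, t_blend=1.0):
    """Assumed linear ramp from the nominal (0) to the off-nominal (1) controller."""
    return min(1.0, max(0.0, (t - t_identified) / t_blend))


def blended_valve_command(u_nominal, u_off_nominal, alpha):
    """Mix the outputs of the two controllers running in parallel."""
    return [(1.0 - alpha) * a + alpha * b
            for a, b in zip(u_nominal, u_off_nominal)]


if __name__ == "__main__":
    limit = max_pc_for_stuck_valve(0.6)
    print("uncoordinated:", achievable_response(100.0, limit))
    print("coordinated:  ", achievable_response(coordinate(100.0, 0.6), limit))
```

With these constructed numbers the uncoordinated request misses both the Pc and the MR setpoints, while the clamped request holds MR at nominal at the reduced Pc.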

INTELLIGENT CONTROLS GRAPHICAL USER INTERFACE

The Graphical User Interface (GUI) was developed to allow the ICS to be monitored during operation. The GUI permits operators to observe the ICS in real-time operation as it accommodates faults in components, sensors, and actuators, using a collection of screens designed to provide a clear illustration, through plots, text, and animation, of the entire process. The GUI is a full-color, object-oriented system consisting of a set of screens arranged hierarchically. Each screen consists of three windows: a mouse-sensitive graphical display window containing a diagram of a component or system, a plotting window depicting time responses of key variables associated with that component or system, and an interactive type-out window displaying messages and allowing the user to enter commands. When the mouse pointer is over a selectable object in the mouse-sensitive graphical display window, a box appears around the object and its name is displayed at the bottom of the screen. Clicking on it brings up the screen corresponding to the object. The hierarchy of screens may be viewed in this manner. Figure 8 shows an example screen. The top window contains a view of the space shuttle main engine composed of selectable objects, the window on the lower left displays messages, and that on the lower right displays plots. One of the components is selected as indicated by the box around it and its name is displayed in the lower left corner of the figure. The GUI plots time responses of important variables and indicates failures to the user through messages in the type-out window and by causing failed mouse-selectable components to flash. The user may bring up more detailed screens by clicking on the objects. Because of the modular, object-oriented nature of the GUI, the creation of additional screens is simple and quick. Thus appropriate screens can be added easily as more failure modes are incorporated into the testbed system.

[Figure 8: Main Screen for the Intelligent Control System Graphical User Interface]

SUMMARY 

Demonstration of an Intelligent Control System for reusable rocket engines (SSME) is on-going at NASA LeRC. To facilitate this process, a preliminary subset of failure modes was selected from the set of all accommodatable failure modes. In particular, failure of a control sensor (Pc), a frozen Fuel Preburner Oxidizer Valve, a Low Pressure Fuel Turbo Pump shaft seal failure, a High Pressure Fuel Turbo Pump turbine tip seal failure, and a High Pressure Oxidizer Turbo Pump shaft seal failure were selected. Due to the requirement of accommodating engine failures or degradations, hot fire data cannot be used in closed loop evaluation and serves to validate health monitoring algorithms only. Consequently, a modelling effort is ongoing to study the effects of the failures on SSME performance and some results to date have been included. Modelling has focused on first order effects and little attention has been paid to the propagation of failures or the potential negative impact of off nominal operation of the engine and subsequent failures. These are important issues; however, our focus is constrained given available resources to address this complex problem. The failure models are used to study the behavior of the engine as a failure occurs during closed loop operation with a nominal engine controller. If unacceptable behavior results, the operating point or the set of controlled variables or both is changed to accommodate the problem by the engine level coordinator. If none of these actions resolves the anomalous behavior, an alternate control design is performed off-line to meet the requirement of fault tolerance. A reconfiguration scheme has been presented which allows switching between predesigned controllers running in parallel based on the identified engine failure. An example using a stuck Fuel Preburner Oxidizer Valve was given to illustrate these ideas on a realtime simulation of the SSME. Results show that successful accommodation of primary control valves can be achieved using control reconfiguration in conjunction with a multivariable design methodology. Finally, the graphical user interface for the Intelligent Control System project was presented which aids the analysis of the system during accommodation of simulated engine failures.